Mo’ Money Mo’ Problems
Making A LOT more money on the Web the black hat way

Jeremiah Grossman
Founder & Chief Technology Officer

06.19.2009

© 2009 WhiteHat, Inc.
Jeremiah Grossman
• Technology R&D and industry evangelist
  (InfoWorld's CTO Top 25 for 2007)
• Frequent international conference speaker
• Co-founder of the Web Application Security Consortium
• Co-author: Cross-Site Scripting Attacks
• Former Yahoo! information security officer

WhiteHat Security
• 200+ enterprise customers
 • Start-ups to Fortune 500

• Flagship offering “WhiteHat Sentinel Service”
 • 1000’s of assessments performed annually

• Recognized leader in website security
 • Quoted hundreds of times by the mainstream press

Threat Capabilities

Threats / Attackers, by capability level (most to least targeted):

Fully Targeted
• Discover unlinked / hidden functionality
• Exercise business processes
• Customize Business Logic Flaw Exploits
• Leverage information leakage
• Interact with other customers
• Perform multi-stage attacks
Example: ‘The Analyzer’ allegedly hacked into multiple financial institutions using SQL Injection to steal credit and debit card numbers that were then used by thieves in several countries to withdraw more than $1 million from ATMs. (Geeks.com, Guess, Petco, CardSystems, USC, etc.)

Directed Opportunistic
• Authenticated crawling
• Authenticated attacks
• Intelligent HTML form submission
• Test for technical vulnerabilities
• Customize exploits
• SQL Injection (data extraction)
• Cross-Site Scripting (Phishing)
Example: Cyber criminals use XSS vulnerabilities to create very convincing Phishing scams that appear on the real website as opposed to a fake. JavaScript malware steals victims’ session cookies and passwords. (Y! Mail, PayPal, SunTrust, Italian banks, etc.)

Random Opportunistic
• Unauthenticated crawling
• Unauthenticated attacks
• Test all attack surface discovered
• Destructive attacks
• Automated HTML form submission
• SQL Injection (code insertion)
• Persistent Cross-Site Scripting
• Advanced Filter Evasion Techniques
• Generic exploits
Example: With Mass SQL Injection, automated worms insert malicious JavaScript IFRAMEs (pointing to malware servers) into back-end databases and use the capability to exploit unpatched Web browsers. According to Websense, “75 percent of Web sites with malicious code are legitimate sites that have been compromised.”

Website Classes of Attacks

Business Logic: Humans Required
Authentication
 • Brute Force
 • Insufficient Authentication
 • Weak Password Recovery Validation
 • CSRF*
Authorization
 • Credential/Session Prediction
 • Insufficient Authorization
 • Insufficient Session Expiration
 • Session Fixation
Logical Attacks
 • Abuse of Functionality
 • Denial of Service
 • Insufficient Anti-automation
 • Insufficient Process Validation

Technical: Automation Can Identify
Command Execution
 • Buffer Overflow
 • Format String Attack
 • LDAP Injection
 • OS Commanding
 • SQL Injection
 • SSI Injection
 • XPath Injection
Information Disclosure
 • Directory Indexing
 • Information Leakage
 • Path Traversal
 • Predictable Resource Location
Client-Side
 • Content Spoofing
 • Cross-site Scripting
 • HTTP Response Splitting*

WASC 24 (+2)* Classes of Attacks
http://www.webappsec.org/projects/threat/

WhiteHat Security Top Ten
Percentage likelihood of a website having a vulnerability by class (bar chart):

• Cross-Site Scripting
• Information Leakage
• Content Spoofing
• Insufficient Authorization
• SQL Injection
• Predictable Resource Location
• Session Fixation
• Cross-Site Request Forgery
• Insufficient Authentication
• HTTP Response Splitting

Total Websites: 1,031
Identified vulnerabilities: 17,888, Unresolved: 7,157 (60% resolution rate)
Websites having had at least one HIGH, CRITICAL, or URGENT issue: 82%
Lifetime average number of vulnerabilities per website: 17
Websites currently with at least one HIGH, CRITICAL, or URGENT issue: 63%
Current average of unresolved vulnerabilities per website: 7

WhiteHat Website Security Statistics Report (March 2009)
http://www.whitehatsec.com/home/resource/stats.html

QA overlooks them
Tests what software should do, not what it can be made to do


Scanners can’t identify them
Lack intelligence and don’t know if something worked (or not)


WAFs / IDSs can’t defend them
HTTP requests appear completely normal


Hackers exploit them
230+ million websites, 1+ million using SSL

Promo codes for cheapskates
Online advertising campaigns distribute coupon and promo codes redeemable for discounts and other freebies. Some codes are more valuable than others.

• X% and $X off sales
• Free Shipping
• 2 for 1 Specials
• Add-Ons & Upgrades
MacWorld Hacker VIP
Client-Side Hacking
Back to Back Free MacWorld Platinum Pass
($1,695)




                      http://grutztopia.jingojango.net/2007/01/your-free-macworld-expo-platinum-pass_11.html
                      http://grutztopia.jingojango.net/2008/01/another-free-macworld-platinum-pass-yes.html
                      http://grutztopia.jingojango.net/2008/02/your-client-side-security-sucks.html
Free Pizza Tastes Better
 March 31, 2009...
1. Go to the Domino's Pizza site.
2. Order a medium one-topping pizza.
3. Enter coupon code “BAILOUT”. FREE!




Still have to go pick it up!

Share the Knowledge
“Spoke to a Domino's rep, who told me the free-pizza code was
created internally for a promotion that was never actually green-lit.”


11,000 X $7.00 =

 $70,000
          Oops!


                     http://consumerist.com/5193012/dominos-accidentally-gives-away-11000-pizzas-in-bailout-promotion
                     http://news.cnet.com/8301-13845_3-10207986-58.html
                     http://offtopics.com/sales-coupons-promo-codes/1797-free-papa-johns-pizza-coupon-code-hack.html

Other Tricks

• Guess / Brute Force
 • (No CAPTCHAs)
• Stacking Multiple Codes
• Delete Cookies (Don’t Forget Flash)
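As an added defender-side example (not from the deck), here is how a promo-code endpoint can close the three holes these slides describe: a code that was never launched (the “BAILOUT” case) is rejected because activation and validity dates are explicit, guessing is throttled per authenticated account rather than per cookie, and stacking is allowed only for codes flagged as stackable. The code names, discounts and limits are constructed for the example.

```python
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols
MAX_FAILED_ATTEMPTS = 5                              # per account, not per cookie
LOCKOUT = timedelta(minutes=15)


@dataclass
class PromoCode:
    code: str
    discount_cents: int
    active: bool                  # explicit launch switch: drafts stay False
    starts_at: datetime
    ends_at: datetime
    stackable: bool = False
    max_uses_per_account: int = 1


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    redemptions: Dict[str, int] = field(default_factory=dict)


def generate_code(length: int = 12) -> str:
    """Unguessable code: 36**12 (about 2**62) candidates, so enumeration
    against a throttled endpoint is hopeless, unlike a word such as BAILOUT."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class PromoService:
    def __init__(self, codes: Dict[str, PromoCode]):
        self.codes = codes
        self.accounts: Dict[str, AccountState] = {}

    def apply(self, account_id: str, code: str,
              already_applied: List[str], now: datetime) -> Tuple[bool, str]:
        acct = self.accounts.setdefault(account_id, AccountState())
        # Throttle state lives server-side under the authenticated account, so
        # deleting HTTP or Flash cookies does not reset the guess counter.
        if acct.locked_until is not None and now < acct.locked_until:
            return False, "too many attempts; try later"

        promo = self.codes.get(code.strip().upper())
        live = (promo is not None and promo.active
                and promo.starts_at <= now < promo.ends_at)
        if not live:
            # Unknown, never-launched and expired codes all count as a guess
            # and all get the same answer, so nothing leaks about draft codes.
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT
            return False, "invalid code"
        acct.failed_attempts = 0

        # Stacking: every code in the basket, including this one, must opt in.
        others = [self.codes[c] for c in already_applied if c in self.codes]
        if already_applied and not (promo.stackable and all(o.stackable for o in others)):
            return False, "codes cannot be combined"

        used = acct.redemptions.get(promo.code, 0)
        if used >= promo.max_uses_per_account:
            return False, "code already used"
        acct.redemptions[promo.code] = used + 1
        return True, f"{promo.discount_cents} cents off"


DEMO_NOW = datetime(2009, 3, 31, 12, 0, tzinfo=timezone.utc)


def build_demo_service() -> PromoService:
    """Constructed sample catalogue: one never-launched draft, one ordinary
    code, one stackable free-shipping code."""
    week = timedelta(days=7)
    codes = {
        "BAILOUT":  PromoCode("BAILOUT", 700, active=False,
                              starts_at=DEMO_NOW - week, ends_at=DEMO_NOW + week),
        "SPRING10": PromoCode("SPRING10", 1000, active=True,
                              starts_at=DEMO_NOW - week, ends_at=DEMO_NOW + week),
        "FREESHIP": PromoCode("FREESHIP", 500, active=True,
                              starts_at=DEMO_NOW - week, ends_at=DEMO_NOW + week,
                              stackable=True, max_uses_per_account=3),
    }
    return PromoService(codes)
```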

Low-Tech Google Hacking
When Google becomes a major source of public record, interesting opportunities begin to arise.

Super BlackHat SEO
Target large universities with public webcams
and redirect the feeds to a subscription website.

Call in bomb threats (hoax) to Boston College,
Purdue, Clemson, University of North Carolina,
and Florida State to drive traffic.

Advertise live police response video footage via
Skype and profit ($?)

Juvenile male suspect arrested.

http://www.bcheights.com/home/index.cfm?event=displayArticlePrinterFriendly&uStory_id=14cd304c-26e2-40ab-a51d-4a2d79274cd9

Google Earth Recon
Roofer Tom Berge used aerial photographs of towns across the world to pinpoint museums, churches and schools across south London with lead roof tiles (darker colour).
Berge and his accomplices used ladders and abseiling ropes to strip the roofs and took the lead away (£100,000) in a stolen vehicle to be sold for scrap.
He was sentenced to eight months in prison – suspended for two years – after confessing to more than 30 offenses.
               http://www.independent.co.uk/news/uk/crime/thief-googled-163100000-lead-roofs-1645734.html
               http://www.telegraph.co.uk/news/uknews/4995293/Google-Earth-used-by-thief-to-pinpoint-buildings-w
               valuable-lead-roofs.html

Google Maps vs. Spammers




      http://blumenthals.com/blog/2009/02/25/google-maps-vs-locksmiths-spammers-spammers-winning/
      http://thehollytree.blogspot.com/2008/02/scam-alert-phony-israeli-owned.html

Buyers Remorse
People order things online, then change their minds, and cancel. Strict management processes need to be in place.

Quantina Moore-Perry, 33, of Greensboro, N.C.

Ordered (then cancelled) over 1,800 items online at
QVC including handbags, housewares, jewelry and
electronics

Products were shipped anyway

Auctioned off on eBay

Profited $412,000
                   Woman admits fleecing shopping network of more than $412,000
                   http://www.theregister.co.uk/2007/10/30/website_fraud_guilty_plea/
                   http://consumerist.com/consumer/crime/woman-exploited-bug-on-qvc-website-to-steal-over-400
                   merchandise-317045.php
                   http://www.msnbc.msn.com/id/21534526/
“QVC became aware of
the problem after being
contacted by two people
who bought the items,
still in QVC packaging, on
the online auction site.”



  Pleaded guilty in federal court to wire fraud.

FTC - Unordered Merchandise
http://www.ftc.gov/bcp/edu/pubs/consumer/products/pro15.shtm

iCan fix your iPod
Sometimes electronics break or are defective and customers would like to return the item. Online systems are designed to facilitate this process.

Nicholas Arthur Woodhams, 23, from Kalamazoo, Michigan, sets up shop online to repair iPods.

Abuses Apple's Advance Replacement Program by guessing iPod serial numbers, backed with Visa-branded gift cards ($1 pre-auth).

Repeats the process 9,075 times, resells the “replacements” at heavily discounted prices ($49), and denies any Apple credit charges.

Charged with trademark infringement, fraud, and money-laundering.

            http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130136&intsrc=news_ts_head
            http://www.macworld.com/article/139522/23yearold_michigan_man_busted_for_ipod_fraud.html
            http://www.appleinsider.com/articles/08/06/26/apple_makes_example_of_ipod_repairman_in_lawsuit.html
            http://launderingmoney.blogspot.com/2009/03/money-laundering-charges-for-kalamazoo.html

Scams that scale

“Federal prosecutors have asked U.S.
District Court Judge Robert Bell to let
them seize real estate and personal
property -- including a 2004 Audi and a
2006 drag racer -- as well as more than
$571,000 in cash belonging to
Woodhams, all alleged to be proceeds
from his scam.”

Magic Cookies
Online merchants and advertisers enlist the services of affiliate networks to drive traffic and/or customers to their websites in exchange for a share of the revenue generated.

The Players
Merchant: Pays commissions to affiliates for customer
clicks, account sign-ups, purchases, etc.
Affiliate: Collects commissions for driving customers
towards merchants in the form of cost per-click (CPC)
or cost per-acquisition (CPA).
Customer: The person who buys stuff or signs-up for
promotions.
Affiliate Network: Technology framework connecting
and monitoring the merchant, affiliate, and customer.

The way it’s supposed to work
1. Affiliate signs up with an affiliate network and places special links on their web page(s):
<a href="http://AffiliateNetwork/p?program=50&affiliate_id=100/">really cool product!</a>

2. When users click the link their browser is sent through the affiliate network, where they receive a special tracking cookie and are then redirected to the merchant page.
Set-Cookie: AffiliateID=100

3. If the customer buys something within X time period (i.e. the affiliate cookie still exists) the affiliate receives a commission.

Using effective SEO tactics...

http://hubpages.com/hub/Google_Adsense_King_-_1_Million_Dollars_Check_-_Markus_Frind_Exclusive_Interview
“It was a check for 2 months because the first check they
sent was so big it was rejected by his bank.”

Cookie-Stuffing Circa 2002
Nothing besides pesky affiliate network terms of service requires the user to actually “click a link” to be cookied with an affiliate ID.
Instead of:
<a href="http://AffiliateNetwork/p?program=50&affiliate_id=100/">really cool product!</a>

Use:
<img src="http://AffiliateNetwork/p?program=50&affiliate_id=100/">

or:
<iframe src="http://AffiliateNetwork/p?program=50&affiliate_id=100/" width="0" height="0"></iframe>

Invisible!
Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud
http://www.cgisecurity.org/2008/08/affiliate-progr.html

Aggressive affiliates figure out they can post their code anywhere online and not just on their own websites (message boards, guest books, social networks, etc.).

By 2005, merchants and affiliate networks got wise to cookie stuffing, started monitoring referers and conversion rates, and began kicking out suspicious affiliates.

http://www.blackhatworld.com/blackhat-seo/
http://www.seoblackhat.com/forum/

Cookie-Stuffing Circa 2007
Affiliates start posting their code on SSL pages.

“Clients SHOULD NOT include a Referer header field in a (non-
secure) HTTP request if the referring page was transferred with a
secure protocol.” - RFC 2616


Bottom line: No referer is sent to the affiliate to be tracked.
FYI: Not every browser behaves this way, but there are many
other methods to do the same using meta-refreshes and
JavaScript.
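Added example, not from the deck or any affiliate network: the two checks merchants adopted against cookie stuffing, a Referer check at the tracking endpoint and per-affiliate conversion-rate profiling. A missing Referer is treated as inconclusive because of the HTTPS-to-HTTP stripping the slide quotes; where present, the browser's Fetch Metadata headers (Sec-Fetch-Dest/Sec-Fetch-Mode, which postdate this 2009 deck) distinguish a real top-level navigation from an image or hidden-iframe load directly. Affiliate IDs, domains and event counts are constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlparse

# Constructed registry: affiliate_id -> sites the affiliate declared at sign-up.
REGISTERED_SITES: Dict[str, set] = {
    "100": {"reviews.example"},
    "200": {"deals.example"},
}


def classify_tracking_request(affiliate_id: str, headers: Dict[str, str]) -> str:
    """Classify one hit on the /p?program=..&affiliate_id=.. endpoint as
    'click' (real navigation), 'stuffed' (img/iframe load or off-site referer)
    or 'unknown' (not enough evidence to decide)."""
    h = {k.lower(): v for k, v in headers.items()}
    dest, mode = h.get("sec-fetch-dest"), h.get("sec-fetch-mode")
    if dest is not None or mode is not None:
        # A clicked <a> is a top-level navigation (dest=document, mode=navigate).
        # <img> and hidden <iframe> loads report dest=image / dest=iframe.
        # The browser sets these headers; page content cannot forge them.
        return "click" if (dest == "document" and mode == "navigate") else "stuffed"
    referer = h.get("referer")
    if referer is None:
        # Exactly what the HTTPS -> HTTP trick produces; not proof of anything.
        return "unknown"
    host = (urlparse(referer).hostname or "").lower()
    return "click" if host in REGISTERED_SITES.get(affiliate_id, set()) else "stuffed"


def flag_low_converters(events: Iterable[Tuple[str, str]],
                        min_cookied: int = 100,
                        ratio_floor: float = 0.25) -> List[str]:
    """events: (affiliate_id, 'cookied' | 'sale'). A stuffer cookies far more
    browsers than it sends real buyers, so its sales-per-cookie rate collapses
    relative to the network. Flag affiliates below ratio_floor * network rate
    once they have enough cookied visitors for the rate to mean something."""
    cookied: Dict[str, int] = defaultdict(int)
    sales: Dict[str, int] = defaultdict(int)
    for aff, kind in events:
        (cookied if kind == "cookied" else sales)[aff] += 1
    total_cookied = sum(cookied.values())
    if total_cookied == 0:
        return []
    network_rate = sum(sales.values()) / total_cookied
    return sorted(aff for aff, n in cookied.items()
                  if n >= min_cookied and sales[aff] / n < ratio_floor * network_rate)


def demo_events() -> List[Tuple[str, str]]:
    """Constructed sample: affiliate 100 behaves normally (1,000 cookied,
    20 sales); affiliate 200 cookies 5,000 visitors for 3 sales."""
    return ([("100", "cookied")] * 1000 + [("100", "sale")] * 20
            + [("200", "cookied")] * 5000 + [("200", "sale")] * 3)
```

Referer and Fetch Metadata checks run per request; the conversion-rate check runs over a reporting window and is what survives when the Referer is stripped.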




                          SEO Code Injection
                          http://technicalinfo.net/papers/SEOCodeInjection.html

Trading on Semi-public Information
Insider: someone with a fiduciary role within a company. A corporate executive, investment banker or attorney. Not a hacker.

Getting the word out...
Business Wire provides a service where registered website users receive a stream of up-to-date press releases. Press releases are funneled to Business Wire by various organizations and are sometimes temporarily embargoed because the information may affect the value of a stock.
Press release files are uploaded to the Web server (Business Wire), but not linked, until the embargo is lifted. At that time, the press release Web pages are linked into the main website and users are notified with URLs similar to the following:
http://website/press_release/08/29/2007/00001.html
http://website/press_release/08/29/2007/00002.html
http://website/press_release/08/29/2007/00003.html
Before granting read access to the press release Web page, the system ensures the user is properly logged in.

Just because you cannot see it does not mean it is not there...
An Estonian financial firm discovered that the press release Web page URLs were named in a predictable fashion. And, while links might not yet exist because the embargo was in place, it didn’t mean a user couldn’t guess at the filename and gain access to the file. This method worked because the only security check Business Wire conducted was to ensure the user was properly logged in, nothing more.
According to the SEC, which began an investigation, Lohmus Haavel & Viisemann profited over $8 million by trading on the information they obtained.


SEC Vs. The Estonian Spiders
http://www.webpronews.com/topnews/2005/11/02/sec-vs-the-estonian-spiders
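
Added example (not Business Wire's code): the authorization rule the case above lacked, beside the login-only check the slide describes. Access to a release must depend on that release's own embargo state, not just on the caller being logged in, and identifiers should be random tokens so the next file cannot be derived from the previous one. Timestamps and the release body are constructed.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass
class PressRelease:
    release_id: str
    publish_at: datetime      # embargo lifts at this instant
    body: str


class PressReleaseStore:
    def __init__(self) -> None:
        self._by_id: Dict[str, PressRelease] = {}

    def upload(self, body: str, publish_at: datetime) -> str:
        # 128-bit random token instead of 00001, 00002, ...: knowing today's
        # IDs says nothing about the ones still under embargo.
        release_id = secrets.token_urlsafe(16)
        self._by_id[release_id] = PressRelease(release_id, publish_at, body)
        return release_id

    def fetch_login_only(self, release_id: str, logged_in: bool) -> Tuple[Optional[str], str]:
        """The check described in the deck: authentication, nothing more.
        Any logged-in user who can name an unlinked file gets it."""
        if not logged_in:
            return None, "login required"
        pr = self._by_id.get(release_id)
        return (pr.body, "ok") if pr else (None, "not found")

    def fetch(self, release_id: str, logged_in: bool, now: datetime) -> Tuple[Optional[str], str]:
        """Hardened: authentication plus an object-level embargo check."""
        if not logged_in:
            return None, "login required"
        pr = self._by_id.get(release_id)
        # Embargoed releases answer exactly like missing ones, so probing
        # cannot even confirm that a release exists before the embargo lifts.
        if pr is None or now < pr.publish_at:
            return None, "not found"
        return pr.body, "ok"


def demo() -> Tuple[PressReleaseStore, str, datetime, datetime]:
    """Constructed scenario: one release uploaded an hour before its
    embargo lifts; returns the store, its id, 'now' and the lift time."""
    now = datetime(2007, 8, 29, 8, 0, tzinfo=timezone.utc)
    lift = now + timedelta(hours=1)
    store = PressReleaseStore()
    rid = store.upload("Q3 results: revenue down 30%", publish_at=lift)
    return store, rid, now, lift
```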
A Ukrainian hacker breaks into Thomson
Financial and steals a gloomy results
announcement for IMS Health, hours
before its release to the stock market ...
• Hacker enters ~$42,000 in sell orders betting the stock will fall
• The stock fell sharply making the hacker ~$300,000
• Red flags appear and the SEC freezes the funds
• Funds are ordered to be released, “Dorozhko’s alleged ‘stealing and
  trading’ or ‘hacking and trading’ does not amount to a violation” of
  securities laws, Judge Naomi Reice Buchwald
• The Times speculates that the DoJ has simply deemed the case not
  worth pursuing - probably due to the difficulties involved in gaining
  cooperation from local authorities to capture criminals in Ukraine.
                          Ukrainian Hacker Makes a Killing in Stock Market Fraud
                          http://blog.wired.com/27bstroke6/2008/02/ukrainian-hacke.html

                          Ukrainian hacker may get to keep profits
                          http://www.vnunet.com/vnunet/news/2209899/hacker-keep-profits
Pump and Dump Scams Evolve
A large traffic spike on a Sunday night pushed a 2002 story of a bankruptcy filing by United Airlines to the most viewed business story category on the South Florida Sun Sentinel's Web site.


Google indexed the new link and the story appeared on Google
News.

A Miami advisory firm performed a Google search for bankruptcies
Monday morning that returned the 2002 UAL story, which they
mistook as being current, and was subsequently distributed through
the Bloomberg News Service.

United Airlines' stock price sank more than 75%, slipping down
from $12 to a $3 level before trading was suspended. After the dust
settled, shares returned to near normal levels.

                      http://blog.wired.com/27bstroke6/2008/09/six-year-old-st.html
                      http://consumerist.com/5048362/google-placed-wrong-date-on-ual-story-stock-yo+yo-ensues
                      http://www.forbes.com/2008/09/08/ual-tribune-bankruptcy-biz-media-cz_ja_tvr_0908ualstory.html
                      http://www.theregister.co.uk/2008/09/10/ua_bankruptcy_farce/

Hackers for Hire

The cybercrime industry possesses sophisticated business models that include Software-as-a-Service, SLAs, and discreet distribution of services. Hackers and botnets can be easily rented.

Online Permit Management
In 2006, the Brazilian environment ministry did away
with paper dockets and implemented an online program
to issue permits documenting how much land a
company could legally log and tracking the timber
leaving the Amazon state of Para.

              "We've pointed out before that this method of
              controlling the transport of timber was subject to fraud.”

              André Muggiati
              Campaigner Amazon office in Manaus
              Greenpeace International

Amazonian Rainforest Hack
Allegedly 107 logging companies hired hackers to compromise the system, falsifying online records to increase the timber transport allocations. Police arrested 30 ring leaders.

As a result an estimated 1.7 million
cubic metres of illegal timber have
been smuggled out of the Amazon,
enough to fill 780 Olympic-sized
swimming pools.

            http://www.greenpeace.org/international/news/hackers-help-destroy-the-amazo
            http://www.scientificamerican.com/blog/60-second-science/post.cfm?id=hackers-help-loggers-illegally-stri-2008-12-16

$833,000,000
Tip of the iceberg: same computer system is used in two
other Brazilian states.




          http://www.greenpeace.org/international/news/hackers-help-destroy-the-amazo
          http://www.scientificamerican.com/blog/60-second-science/post.cfm?id=hackers-help-loggers-illegally-stri-2008-12-16

Other Permits Managers

Hiring the Good Guys
                 KPMG audited 70 FAA
                 Web applications and
                 identified 763 high-risk
                 vulnerabilities

“By exploiting these vulnerabilities, the public could
gain unauthorized access to information stored on
Web application computers. Further, through these
vulnerabilities, internal FAA users (employees,
contractors, industry partners, etc.) could gain
unauthorized access to ATC systems because the
Web applications often act as front-end interfaces
(providing front-door access) to ATC systems.”

                                    http://news.cnet.com/8301-1009_3-10236028-83.html
                                    http://www.darkreading.com/security/government/showArticle.jhtml
                                    http://www.oig.dot.gov/StreamFile?file=/data/pdfdocs/ATC_Web_Report.pdf

Business logic flaws = $$$
Prime target for the bad guys.


Test often, test everywhere
Threat Model. Not all vulnerabilities can be identified in the
design phase, by analyzing the code, or even during QA.


Detect attacks by profiling
HTTP requests appear legitimate, but active attacks will
appear anomalous. He who has the most points, credits, or
in-system cash is probably a cheater.

Google Hacking - $ low six figures

Scamming eCommerce - $ mid six figures

Manipulating return policy systems - $ high six figures

Exploiting Affiliate Networks - $ seven figures

Gaming the stock market - $ high seven figures

Defrauding online permits - $ high nine figures


         Free pizza with secret coupon codes...
          PRICELESS

Questions?
Why aren’t you doing this?

               Jeremiah Grossman
               Blog: http://jeremiahgrossman.blogspot.com/
               Twitter: http://twitter.com/jeremiahg
               Email: jeremiah@whitehatsec.com

               WhiteHat Security
               http://www.whitehatsec.com/

The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Kürzlich hochgeladen (20)

Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

ISSA Infraguard ISACA Tampa 06192009

  • 1. Mo’ Money Mo’ Problems
    Making A LOT more money on the Web the black hat way
    Jeremiah Grossman, Founder & Chief Technology Officer
    06.19.2009
    © 2009 WhiteHat, Inc.
  • 2. Jeremiah Grossman
    • Technology R&D and industry evangelist (InfoWorld's CTO Top 25 for 2007)
    • Frequent international conference speaker
    • Co-founder of the Web Application Security Consortium
    • Co-author: Cross-Site Scripting Attacks
    • Former Yahoo! information security officer
  • 3. WhiteHat Security
    • 200+ enterprise customers
      • Start-ups to Fortune 500
    • Flagship offering “WhiteHat Sentinel Service”
      • 1000’s of assessments performed annually
    • Recognized leader in website security
      • Quoted hundreds of times by the mainstream press
  • 4. Threat Capabilities
    Threats / Attackers

    Fully Targeted
    • Discover unlinked / hidden functionality
    • Exercise business processes
    • Customize Business Logic Flaw Exploits
    • Leverage information leakage
    • Interact with other customers
    • Perform multi-stage attacks
    Example: ‘The Analyzer’ allegedly hacked into multiple financial institutions using SQL Injection to steal credit and debit card numbers that were then used by thieves in several countries to withdraw more than $1 million from ATMs. Geeks.com, Guess, Petco, CardSystems, USC, etc.

    Directed Opportunistic
    • Authenticated crawling
    • Authenticated attacks
    • Intelligent HTML form submission
    • Test for technical vulnerabilities
    • Customize exploits
    • SQL Injection (data extraction)
    • Cross-Site Scripting (Phishing)
    Example: Cyber criminals use XSS vulnerabilities to create very convincing Phishing scams that appear on the real website as opposed to a fake. JavaScript malware steals victims’ session cookies and passwords. Y! Mail, PayPal, SunTrust, Italian banks, etc.

    Random Opportunistic
    • Unauthenticated crawling
    • Unauthenticated attacks
    • Test all attack surface discovered
    • Destructive attacks
    • Automated HTML form submission
    • SQL Injection (code insertion)
    • Persistent Cross-Site Scripting
    • Advanced Filter Evasion Techniques
    • Generic exploits
    Example: With Mass SQL Injection, automated worms insert malicious JavaScript IFRAMEs (pointing to malware servers) into back-end databases and use the capability to exploit unpatched Web browsers. According to Websense, “75 percent of Web sites with malicious code are legitimate sites that have been compromised.”
  • 5. Website Classes of Attacks
    Business Logic: Humans Required
      Authentication
      • Brute Force
      • Insufficient Authentication
      • Weak Password Recovery Validation
      • CSRF*
      Authorization
      • Credential/Session Prediction
      • Insufficient Authorization
      • Insufficient Session Expiration
      • Session Fixation
      Logical Attacks
      • Abuse of Functionality
      • Denial of Service
      • Insufficient Anti-automation
      • Insufficient Process Validation
    Technical: Automation Can Identify
      Command Execution
      • Buffer Overflow
      • Format String Attack
      • LDAP Injection
      • OS Commanding
      • SQL Injection
      • SSI Injection
      • XPath Injection
      Information Disclosure
      • Directory Indexing
      • Information Leakage
      • Path Traversal
      • Predictable Resource Location
      Client-Side
      • Content Spoofing
      • Cross-site Scripting
      • HTTP Response Splitting*
    WASC 24 (+2)* Classes of Attacks: http://www.webappsec.org/projects/threat/
  • 6. WhiteHat Security Top Ten
    Percentage likelihood of a website having a vulnerability by class:
    1. Cross-Site Scripting
    2. Information Leakage
    3. Content Spoofing
    4. Insufficient Authorization
    5. SQL Injection
    6. Predictable Resource Location
    7. Session Fixation
    8. Cross-Site Request Forgery
    9. Insufficient Authentication
    10. HTTP Response Splitting
    Total websites: 1,031
    Identified vulnerabilities: 17,888; unresolved: 7,157 (60% resolution rate)
    Websites having had at least one HIGH, CRITICAL, or URGENT issue: 82%
    Lifetime average number of vulnerabilities per website: 17
    Websites currently with at least one HIGH, CRITICAL, or URGENT issue: 63%
    Current average of unresolved vulnerabilities per website: 7
    WhiteHat Website Security Statistics Report (March 2009)
    http://www.whitehatsec.com/home/resource/stats.html
  • 7.
    QA overlooks them: tests what software should do, not what it can be made to do.
    Scanners can’t identify them: they lack intelligence and don’t know if something worked (or not).
    WAFs / IDSs can’t defend them: the HTTP requests appear completely normal.
    Hackers exploit them: 230+ million websites, 1+ million using SSL.
  • 8. Promo codes for cheapskates
    Online advertising campaigns distribute coupon and promo codes redeemable for discounts and other freebies. Some codes are more valuable than others.
  • 9.
    • X% and $X off sales
    • Free Shipping
    • 2 for 1 Specials
    • Add-Ons & Upgrades
  • 10. MacWorld Hacker VIP
    Client-Side Hacking
    Back to Back Free MacWorld Platinum Pass ($1,695)
    http://grutztopia.jingojango.net/2007/01/your-free-macworld-expo-platinum-pass_11.html
    http://grutztopia.jingojango.net/2008/01/another-free-macworld-platinum-pass-yes.html
    http://grutztopia.jingojango.net/2008/02/your-client-side-security-sucks.html
  • 11. Free Pizza Tastes Better
    March 31, 2009...
    1. Go to the Domino's Pizza site.
    2. Order a medium one-topping pizza.
    3. Enter coupon code “BAILOUT”.
    FREE! Still have to go pick it up!
  • 12. Share the Knowledge
    “Spoke to a Domino's rep, who told me the free-pizza code was created internally for a promotion that was never actually green-lit.”
    11,000 × $7.00 ≈ $77,000. Oops!
    http://consumerist.com/5193012/dominos-accidentally-gives-away-11000-pizzas-in-bailout-promotion
    http://news.cnet.com/8301-13845_3-10207986-58.html
    http://offtopics.com/sales-coupons-promo-codes/1797-free-papa-johns-pizza-coupon-code-hack.html
  • 13. Other Tricks
    • Guess / Brute Force (no CAPTCHAs)
    • Stacking Multiple Codes
    • Delete Cookies (don’t forget Flash)
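An added example, not code from the deck or from any merchant it names: the coupon-redemption logic behind slides 11–13 (any valid code accepted, codes stacked, redemption state kept only in a cookie the attacker can delete, no cap on guesses) placed beside a hardened version that keys usage to the authenticated account, refuses to stack non-stackable promos and cuts off guessing. The promo catalogue, account names, prices and thresholds are constructed; `Promo`, `CouponLedger` and `generate_code` are hypothetical names.

```python
import secrets
import string
from collections import defaultdict
from dataclasses import dataclass, field

# Added example (not from the deck). Promo codes, accounts and prices
# below are constructed for illustration.

ALPHABET = string.ascii_uppercase + string.digits


def generate_code(length: int = 12) -> str:
    """Unguessable code: 36**12 (about 2**62) possibilities, far beyond what a
    rate-limited endpoint lets an attacker try. A dictionary word such as
    BAILOUT is guessable even behind a CAPTCHA."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Promo:
    discount: float              # fraction off the order, e.g. 0.25
    stackable: bool = False      # may combine with other stackable promos
    max_uses_per_account: int = 1


@dataclass
class CouponLedger:
    promos: dict                 # code -> Promo (hypothetical catalogue)
    max_bad_attempts: int = 5    # invalid codes tolerated per account
    bad_attempts: dict = field(default_factory=lambda: defaultdict(int))
    # uses[account][code] -> times redeemed. Keyed by the authenticated account,
    # so clearing browser or Flash cookies (slide 13) does not reset it.
    uses: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(int)))

    def redeem_weak(self, account: str, codes: list, price: float) -> float:
        """The failure mode behind slides 11-13: every valid code in the basket
        is applied and stacked, nothing is remembered between orders, and
        guesses are accepted as fast as the server answers."""
        total = price
        for code in codes:
            promo = self.promos.get(code)
            if promo is not None:
                total *= 1 - promo.discount
        return round(total, 2)

    def redeem_hardened(self, account: str, codes: list, price: float) -> float:
        """Single use per account, no stacking unless every promo allows it,
        and a hard cap on invalid guesses (the anti-automation control the
        deck says is usually missing)."""
        if self.bad_attempts[account] >= self.max_bad_attempts:
            raise PermissionError("too many invalid promo codes for this account")
        applied = []                                   # [(code, Promo)]
        for code in codes:
            promo = self.promos.get(code)
            if promo is None:
                self.bad_attempts[account] += 1        # count the guess
                continue
            if any(c == code for c, _ in applied):
                continue                               # same code twice in one basket
            if self.uses[account][code] >= promo.max_uses_per_account:
                continue                               # already redeemed by this account
            if applied and not (promo.stackable and all(p.stackable for _, p in applied)):
                continue                               # refuse to stack non-stackable promos
            applied.append((code, promo))
        total = price
        for _, promo in applied:
            total *= 1 - promo.discount
        # Record redemptions once the basket is accepted; in a real system this
        # write belongs in the same transaction as the order itself.
        for code, _ in applied:
            self.uses[account][code] += 1
        return round(total, 2)


if __name__ == "__main__":
    ledger = CouponLedger(promos={"SAVE25": Promo(0.25), "SHIP10": Promo(0.10, stackable=True)})
    print("weak:", ledger.redeem_weak("alice", ["SAVE25", "SHIP10"], 20.0))
    print("hardened:", ledger.redeem_hardened("alice", ["SAVE25", "SHIP10"], 20.0))
    print("hardened, second order:", ledger.redeem_hardened("alice", ["SAVE25"], 20.0))
```

The attempt counter is per account rather than per IP or per cookie because the latter two are exactly what slide 13 says the attacker resets; a per-IP limit is still worth adding for unauthenticated checkouts.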
  • 14. Low-Tech Google Hacking
    When Google becomes a major source of public record, interesting opportunities begin to arise.
  • 15. Super BlackHat SEO
    Target large universities with public webcams and redirect the feeds to a subscription website. Call in bomb threats (hoax) to Boston College, Purdue, Clemson, University of North Carolina, and Florida State to drive traffic. Advertise live police response video footage via Skype and profit ($?).
    Juvenile male suspect arrested.
    http://www.bcheights.com/home/index.cfm?event=displayArticlePrinterFriendly&uStory_id=14cd304c-26e2-40ab-a51d-4a2d79274cd9
  • 16. Google Earth Recon
    Roofer Tom Berge used aerial photographs of towns across the world to pinpoint museums, churches and schools across south London with lead roof tiles (darker colour). Berge and his accomplices used ladders and abseiling ropes to strip the roofs and took the lead away (£100,000) in a stolen vehicle to be sold for scrap. Sentenced to eight months in prison, suspended for two years, after confessing to more than 30 offenses.
    http://www.independent.co.uk/news/uk/crime/thief-googled-163100000-lead-roofs-1645734.html
    http://www.telegraph.co.uk/news/uknews/4995293/Google-Earth-used-by-thief-to-pinpoint-buildings-w valuable-lead-roofs.html
  • 17. Google Maps vs. Spammers
    http://blumenthals.com/blog/2009/02/25/google-maps-vs-locksmiths-spammers-spammers-winning/
    http://thehollytree.blogspot.com/2008/02/scam-alert-phony-israeli-owned.html
  • 18. Buyers Remorse
    People order things online, then change their minds, and cancel. Strict management processes need to be in place.
  • 19. Quantina Moore-Perry, 33, of Greensboro, N.C.
    Ordered (then cancelled) over 1,800 items online at QVC including handbags, housewares, jewelry and electronics. Products were shipped anyway. Auctioned off on eBay. Profited $412,000.
    “Woman admits fleecing shopping network of more than $412,000”
    http://www.theregister.co.uk/2007/10/30/website_fraud_guilty_plea/
    http://consumerist.com/consumer/crime/woman-exploited-bug-on-qvc-website-to-steal-over-400 merchandise-317045.php
    http://www.msnbc.msn.com/id/21534526/
  • 20. “QVC became aware of the problem after being contacted by two people who bought the items, still in QVC packaging, on the online auction site.”
    Pleaded guilty in federal court to wire fraud.
  • 21. FTC - Unordered Merchandise
    http://www.ftc.gov/bcp/edu/pubs/consumer/products/pro15.shtm
  • 22. iCan fix you iPod
    Sometimes electronics break or are defective and customers would like to return the item. Online systems are designed to facilitate this process.
  • 23. Nicholas Arthur Woodhams, 23, from Kalamazoo, Michigan, sets up shop online to repair iPods.
    Abuses Apple's Advance Replacement Program by guessing iPod serial numbers, backed with Visa-branded gift cards ($1 pre-auth). Repeats the process 9,075 times, resells the “replacements” at heavily discounted prices ($49), and denies any Apple credit charges.
    Charged with trademark infringement, fraud, and money-laundering.
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130136&intsrc=news_ts_head
    http://www.macworld.com/article/139522/23yearold_michigan_man_busted_for_ipod_fraud.html
    http://www.appleinsider.com/articles/08/06/26/apple_makes_example_of_ipod_repairman_in_lawsuit.html
    http://launderingmoney.blogspot.com/2009/03/money-laundering-charges-for-kalamazoo.html
  • 24. Scams that scale
    “Federal prosecutors have asked U.S. District Court Judge Robert Bell to let them seize real estate and personal property -- including a 2004 Audi and a 2006 drag racer -- as well as more than $571,000 in cash belonging to Woodhams, all alleged to be proceeds from his scam.”
  • 25. Magic Cookies
    Online merchants and advertisers enlist the services of affiliate networks to drive traffic and/or customers to their websites in exchange for a share of the revenue generated.
  • 26. The Players
    Merchant: Pays commissions to affiliates for customer clicks, account sign-ups, purchases, etc.
    Affiliate: Collects commissions for driving customers towards merchants in the form of cost per click (CPC) or cost per acquisition (CPA).
    Customer: The person who buys stuff or signs up for promotions.
    Affiliate Network: Technology framework connecting and monitoring the merchant, affiliate, and customer.
  • 27.
  • 28. The way it’s supposed to
    1. Affiliate signs up with an affiliate network and places special links on their web page(s):
       <a href="http://AffiliateNetwork/p?program=50&affiliate_id=100/">really cool product!</a>
    2. When users click the link their browser is sent through the affiliate network, where they receive a special tracking cookie, and is then redirected to the merchant page:
       Set-Cookie: AffiliateID=100
    3. If the customer buys something within X time period (i.e. the affiliate cookie still exists), the affiliate receives a commission.
    Using effective SEO tactics...
  • 29.
  • 30.
  • 32. “It was a check for 2 months because the first check they sent was so big it was rejected by his bank.”
  • 33. Cookie-Stuffing Circa 2002
    Nothing besides pesky affiliate network terms of service requires the user to actually “click a link” to be cookied with an affiliate ID.
    Instead of:
      <a href="http://AffiliateNetwork/p?program=50&affiliate_id=100/">really cool product!</a>
    Use:
      <img src="http://AffiliateNetwork/p?program=50&affiliate_id=100/">
    or:
      <iframe src="http://AffiliateNetwork/p?program=50&affiliate_id=100/" width="0" height="0"></iframe>
    Invisible!
    Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud
    http://www.cgisecurity.org/2008/08/affiliate-progr.html
  • 34. Aggressive affiliates figure out they can post their code anywhere online and not just on their own websites (message boards, guest books, social networks, etc).
    By 2005, merchants and affiliate networks got wise to cookie stuffing, started monitoring referers and conversion rates, and began kicking out suspicious affiliates.
    http://www.blackhatworld.com/blackhat-seo/
    http://www.seoblackhat.com/forum/
  • 35. Cookie-Stuffing Circa 2007
    Affiliates start posting their code on SSL pages.
    “Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.” - RFC 2616
    Bottom line: no referer is sent to the affiliate network to be tracked.
    FYI: Not every browser behaves this way, but there are many other methods to do the same using meta-refreshes and JavaScript.
    SEO Code Injection
    http://technicalinfo.net/papers/SEOCodeInjection.html
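An added example, not an affiliate network's code, covering slides 33–35 together: detection logic run over constructed hits on the slide 28 tracking endpoint, flagging the affiliates whose "clicks" are really invisible `<img>`/`<iframe>` loads, whose traffic arrives without a Referer, or whose conversion rate is far below the network's. The log format, the affiliate ids, the thresholds and the function names are assumptions. One check goes beyond the 2009 deck: the `Sec-Fetch-Dest` request header, which browsers added years later, states directly whether the tracking URL was loaded as a subresource rather than navigated to.

```python
import re
from collections import defaultdict

# Added example, not an affiliate network's code. Constructed hits on the
# tracking endpoint from slide 28 (/p?program=50&affiliate_id=N), expanded
# into one log line each: affiliate id, Referer ("-" if absent), the browser's
# Sec-Fetch-Dest header ("-" if absent), and whether the visit later converted.
# Sec-Fetch-Dest is a post-2019 browser header the 2009 deck could not rely
# on; the referer and conversion-rate checks are the monitoring the deck describes.
SAMPLE_HITS = [
    # (affiliate_id, referer, sec_fetch_dest, converted, how many such hits)
    ("100", "http://blog.example.net/review", "document", 1, 2),    # honest link clicks
    ("100", "http://blog.example.net/review", "document", 0, 4),
    ("200", "http://forum.example.org/thread/42", "image", 0, 10),  # <img> stuffing (slide 33)
    ("300", "-", "iframe", 0, 8),                                   # hidden iframe on an HTTPS page (slide 35)
    ("400", "http://news.example.com/", "document", 0, 3),          # too few hits to judge
]
SAMPLE_LOG = "\n".join(
    f"aff={aff} ref={ref} sfd={sfd} conv={conv}"
    for aff, ref, sfd, conv, repeat in SAMPLE_HITS
    for _ in range(repeat)
)

LINE_RE = re.compile(r"aff=(?P<aff>\d+) ref=(?P<ref>\S+) sfd=(?P<sfd>\S+) conv=(?P<conv>[01])$")
# Destinations meaning the tracking URL was fetched as a subresource, i.e. the
# user never clicked anything.
SUBRESOURCE_DESTS = {"image", "iframe", "script", "style", "object", "embed"}


def parse_hits(log: str) -> list:
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    hits = []
    for line in log.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            hits.append(match.groupdict())
    return hits


def flag_affiliates(log: str, min_clicks: int = 5) -> dict:
    """Per-affiliate verdict: a list of reasons, empty when nothing looks off."""
    stats = defaultdict(lambda: {"clicks": 0, "conv": 0, "noref": 0, "subres": 0})
    for hit in parse_hits(log):
        s = stats[hit["aff"]]
        s["clicks"] += 1
        s["conv"] += int(hit["conv"])
        s["noref"] += int(hit["ref"] == "-")
        s["subres"] += int(hit["sfd"] in SUBRESOURCE_DESTS)

    total_clicks = sum(s["clicks"] for s in stats.values())
    total_conv = sum(s["conv"] for s in stats.values())
    network_rate = total_conv / total_clicks if total_clicks else 0.0

    verdicts = {}
    for aff, s in stats.items():
        reasons = []
        if s["clicks"] >= min_clicks:          # do not judge on a handful of hits
            if s["subres"] / s["clicks"] > 0.5:
                reasons.append("subresource_loads")
            if s["noref"] / s["clicks"] > 0.8:
                reasons.append("missing_referer")
            if s["conv"] / s["clicks"] < network_rate / 5:
                reasons.append("low_conversion")
        verdicts[aff] = reasons
    return verdicts


if __name__ == "__main__":
    for aff, reasons in sorted(flag_affiliates(SAMPLE_LOG).items()):
        print(aff, reasons or "ok")
```

A missing Referer on its own is weak evidence, for exactly the RFC 2616 reason slide 35 quotes: an honest affiliate whose page is served over HTTPS produces the same gap. The stuffing variants that navigate the browser through a meta-refresh or JavaScript also show `Sec-Fetch-Dest: document`, so the conversion-rate comparison is the signal that survives every delivery trick; the other two checks just make the case faster.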
  • 36. Trading on Semi-public Information
    Insider: someone with a fiduciary role within a company. A corporate executive, investment banker or attorney. Not a hacker.
  • 37. Getting the word out...
    Business Wire provides a service where registered website users receive a stream of up-to-date press releases. Press releases are funneled to Business Wire by various organizations, and are sometimes embargoed temporarily because the information may affect the value of a stock.
    Press release files are uploaded to the Web server (Business Wire), but not linked, until the embargo is lifted. At such time, the press release Web pages are linked into the main website and users are notified with URLs similar to the following:
    http://website/press_release/08/29/2007/00001.html
    http://website/press_release/08/29/2007/00002.html
    http://website/press_release/08/29/2007/00003.html
    Before granting read access to the press release Web page, the system ensures the user is properly logged in.
  • 38. Just because you cannot see it does not mean it is not there...
    An Estonian financial firm discovered that the press release Web page URLs were named in a predictable fashion. And, while links might not yet exist because the embargo was in place, it didn’t mean a user couldn’t guess at the filename and gain access to the file. This method worked because the only security check Business Wire conducted was to ensure the user was properly logged in, nothing more.
    According to the SEC, which began an investigation, Lohmus Haavel & Viisemann profited over $8 million by trading on the information they obtained.
    SEC Vs. The Estonian Spiders
    http://www.webpronews.com/topnews/2005/11/02/sec-vs-the-estonian-spiders
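An added example, not Business Wire's code, of the two bugs slides 37–38 describe and their fix: a predictable date-plus-sequence URL scheme, and an access check that stops at "logged in" without asking whether this particular release may be read yet. `PressWire`, `Release`, `guess_paths` and the dates and release text are constructed for illustration; the path pattern is the one quoted on slide 37.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Added example (not Business Wire's code). Paths follow the pattern quoted on
# slide 37; the release text and dates below are constructed.

DAY = datetime(2007, 8, 29, tzinfo=timezone.utc)       # constructed publication day
EMBARGO = DAY + timedelta(hours=12)                     # constructed embargo end
BEFORE_EMBARGO = DAY + timedelta(hours=1)


@dataclass
class Release:
    body: str
    embargo_until: datetime        # tz-aware; compared against the server clock


@dataclass
class PressWire:
    releases: dict = field(default_factory=dict)   # path -> Release
    counter: int = 0

    def upload_predictable(self, body: str, embargo_until: datetime, day: datetime) -> str:
        """Naming scheme from the deck: a date plus a sequence number, so the
        next release's URL is known before its embargo lifts."""
        self.counter += 1
        path = f"/press_release/{day:%m/%d/%Y}/{self.counter:05d}.html"
        self.releases[path] = Release(body, embargo_until)
        return path

    def upload_unguessable(self, body: str, embargo_until: datetime) -> str:
        """Defence in depth only: a 128-bit random path stops enumeration, but
        the authorization check in fetch_hardened is what enforces the embargo."""
        path = f"/press_release/{secrets.token_urlsafe(16)}.html"
        self.releases[path] = Release(body, embargo_until)
        return path

    def fetch_weak(self, logged_in: bool, path: str):
        """The check the deck says Business Wire performed: logged in, nothing more."""
        if not logged_in:
            return None
        release = self.releases.get(path)
        return release.body if release else None

    def fetch_hardened(self, logged_in: bool, path: str, now: datetime):
        """Authentication AND authorization: the embargo is enforced per object,
        and an embargoed file is indistinguishable from a missing one, so a
        guesser cannot even learn that a release has been staged."""
        if not logged_in:
            return None
        release = self.releases.get(path)
        if release is None or now < release.embargo_until:
            return None
        return release.body


def guess_paths(day: datetime, start: int = 1, count: int = 10) -> list:
    """What the deck's 'spiders' did: walk the predictable namespace."""
    return [f"/press_release/{day:%m/%d/%Y}/{n:05d}.html" for n in range(start, start + count)]


if __name__ == "__main__":
    wire = PressWire()
    wire.upload_predictable("constructed embargoed release", EMBARGO, DAY)
    for candidate in guess_paths(DAY, count=3):
        print(candidate,
              "| weak:", wire.fetch_weak(True, candidate),
              "| hardened:", wire.fetch_hardened(True, candidate, BEFORE_EMBARGO))
```

Returning the same "not found" for an embargoed and a nonexistent path matters: a distinct "forbidden" answer would still confirm to a guesser that a release exists for that sequence number, which is itself tradeable information.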
  • 39. A Ukrainian hacker breaks into Thomson Financial and steals a gloomy results announcement for IMS Health, hours before its release to the stock market...
    • Hacker enters ~$42,000 in sell orders betting the stock will fall
    • The stock fell sharply, making the hacker ~$300,000
    • Red flags appear and the SEC freezes the funds
    • Funds are ordered to be released: “Dorozhko’s alleged ‘stealing and trading’ or ‘hacking and trading’ does not amount to a violation” of securities laws, Judge Naomi Reice Buchwald
    • The Times speculates that the DoJ has simply deemed the case not worth pursuing, probably due to the difficulties involved in gaining cooperation from local authorities to capture criminals in Ukraine.
    Ukrainian Hacker Makes a Killing in Stock Market Fraud
    http://blog.wired.com/27bstroke6/2008/02/ukrainian-hacke.html
    Ukrainian hacker may get to keep profits
    http://www.vnunet.com/vnunet/news/2209899/hacker-keep-profits
  • 40. Pump and Dump Scams Evolve
    A large traffic spike on a Sunday night pushed a 2002 story of a bankruptcy filing by United Airlines into the most-viewed business story category on the South Florida Sun Sentinel's Web site. Google indexed the new link and the story appeared on Google News. A Miami advisory firm performed a Google search for bankruptcies Monday morning that returned the 2002 UAL story, which they mistook as being current, and it was subsequently distributed through the Bloomberg News Service. United Airlines' stock price sank more than 75%, slipping from $12 to a $3 level before trading was suspended. After the dust settled, shares returned to near normal levels.
    http://blog.wired.com/27bstroke6/2008/09/six-year-old-st.html
    http://consumerist.com/5048362/google-placed-wrong-date-on-ual-story-stock-yo+yo-ensues
    http://www.forbes.com/2008/09/08/ual-tribune-bankruptcy-biz-media-cz_ja_tvr_0908ualstory.html
    http://www.theregister.co.uk/2008/09/10/ua_bankruptcy_farce/
  • 41. Hackers for Hire
    The cybercrime industry possesses sophisticated business models that include Software-as-a-Service, SLA agreements, and discrete distribution of services. Hackers and botnets can be easily rented.
  • 42.
  • 43. Online Permit Management
    In 2006, the Brazilian environment ministry did away with paper dockets and implemented an online program to issue permits documenting how much land a company could legally log and tracking the timber leaving the Amazon state of Para.
    "We've pointed out before that this method of controlling the transport of timber was subject to fraud.” - André Muggiati, Campaigner, Amazon office in Manaus, Greenpeace International
  • 44. Amazonian Rainforest Hack
    Allegedly 107 logging companies hired hackers to compromise the system, falsifying online records to increase the timber transport allocations. Police arrested 30 ring leaders.
    As a result an estimated 1.7 million cubic metres of illegal timber have been smuggled out of the Amazon, enough to fill 780 Olympic-sized swimming pools.
    http://www.greenpeace.org/international/news/hackers-help-destroy-the-amazo
    http://www.scientificamerican.com/blog/60-second-science/post.cfm?id=hackers-help-loggers-illegally-stri-2008-12-16
  • 45. $833,000,000
    Tip of the iceberg: the same computer system is used in two other Brazilian states.
    http://www.greenpeace.org/international/news/hackers-help-destroy-the-amazo
    http://www.scientificamerican.com/blog/60-second-science/post.cfm?id=hackers-help-loggers-illegally-stri-2008-12-16
  • 46. Other Permit Managers
  • 47. Hiring the Good Guys
    KPMG audited 70 FAA Web applications and identified 763 high-risk vulnerabilities.
    “By exploiting these vulnerabilities, the public could gain unauthorized access to information stored on Web application computers. Further, through these vulnerabilities, internal FAA users (employees, contractors, industry partners, etc.) could gain unauthorized access to ATC systems because the Web applications often act as front-end interfaces (providing front-door access) to ATC systems.”
    http://news.cnet.com/8301-1009_3-10236028-83.html
    http://www.darkreading.com/security/government/showArticle.jhtml
    http://www.oig.dot.gov/StreamFile?file=/data/pdfdocs/ATC_Web_Report.pdf
  • 48. Business logic flaws = $$$
    Prime target for the bad guys.
    Test often, test everywhere. Threat model. Not all vulnerabilities can be identified in the design phase, by analyzing the code, or even during QA.
    Detect attacks by profiling. HTTP requests appear legitimate, but active attacks will appear anomalous. He who has the most points, credits, or in-system cash is probably a cheater.
  • 49.
    Google Hacking - $ low six figures
    Scamming eCommerce - $ mid six figures
    Manipulating return policy systems - $ high six figures
    Exploiting Affiliate Networks - $ seven figures
    Gaming the stock market - $ high seven figures
    Defrauding online permits - $ high nine figures
    Free pizza with secret coupon codes... PRICELESS
  • 50. Questions? Why aren’t you doing this?
    Jeremiah Grossman
    Blog: http://jeremiahgrossman.blogspot.com/
    Twitter: http://twitter.com/jeremiahg
    Email: jeremiah@whitehatsec.com
    WhiteHat Security
    http://www.whitehatsec.com/